NIST Releases Voluntary Standards For IT Infrastructure Security

The National Institute of Standards and Technology (NIST) is circulating a draft of the voluntary standards it is developing for IT security in critical infrastructure. When fully developed, the framework will outline security functions and standards based on a risk-management approach in five areas, summed up by the adage “Know, Prevent, Detect, Respond, Recover.”

In large part, the framework is geared toward helping organizational IT leaders understand how they can prevent cyber attacks or detect, stop and recover from one.

In February, President Barack Obama signed an executive order directing NIST, under the Department of Commerce, to develop a framework that would let critical infrastructure organizations use common IT security standards — “critical infrastructure” being defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”

In the wake of the Department of Veterans Affairs’ apparent hacking by Chinese and other foreign organizations, and after several hospitals lost power during Hurricane Sandy, helping organizations from electricity utilities to health systems improve cybersecurity is a small but significant federal priority.

NIST’s draft standards are still a work in progress, the agency wrote in a document opened to review ahead of workshops being hosted in San Diego later this month.

The framework is being developed through a public-private partnership, with input from a mix of companies, nonprofits and government agencies. State public health agencies are one group that stands ready to adapt to new IT security needs, as their role in infectious disease monitoring and reporting grows in tandem with digital health reporting.

The draft outlines awareness, documentation, tracking and protocol processes, each with its accompanying NIST references; these technical standards discussions and examples are primarily the province of IT leaders and specialists.